Generating PGP 2.6.2-compatible RSA signing keys with GnuPG

David Shaw dshaw at jabberwocky.com
Thu Mar 28 22:32:01 CET 2002


On Thu, Mar 28, 2002 at 02:36:38PM -0500, Michael Young wrote:
> > From: Werner Koch <wk at gnupg.org>

> > I'd suggest that you either create the key using PGP2, continue to use
> > an old one or send private mail to discuss whether I can provide an
> > unofficial patch for this.
> 
> Here, the user appears willing to live with the identification issue.
> Others are using PGP2.6 anyway, so they already have to be (or should
> be) careful with identification.  Their key distribution and
> verification may not depend on keyId or fingerprint behavior.
> 
> If someone is willing to make a patch for it, I would plead for
> making it official.  I would not make it easy -- a separate switch
> ("--gen-v3-key") and requiring the "--expert" switch seems reasonable.

I'm on the fence with this.  I've seen enough requests for it that I'm
fairly sure that a suitably buried (--expert & --pgp2 & warning) v3
key generation would be useful.  That's the whole idea of --expert
anyway: to enable doing silly/broken/incompatible things that only
people who know what they are doing should do.  The fact that it would
be "useful" is also what worries me...

The code change itself is pretty trivial - there would be more code
added to print suitably lurid warning messages than there would be
added to support generating v3 keys :)

With regards to using v3 keys on Usenet control messages, while I
think that v3 keys were deprecated for many good reasons, I have some
experience with this usage and it's one of the few things I'd be
content using v3 keys for.  There is such a large installed base of
(sometimes half-forgotten) news servers still running PGP 2 that it's
safe to say that upgrading any time soon is just not in the cards.

Russ, what I'd ask you to do is to send each gnu.* control message
twice - each signed with a different (one v3, one v4) key.  At least
then Usenet can start on the path of using v4 keys.

David

-- 
   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson



